From: Aaron Conole
To: Thomas Monjalon
Cc: dev@dpdk.org, john.mcnamara@intel.com, david.marchand@redhat.com
Subject: Re: [dpdk-dev] Coverity scan
Date: Wed, 11 Mar 2020 14:35:34 -0400
References: <8562014.CDJkKcVGEf@xps> <1774839.IobQ9Gjlxr@xps>
In-Reply-To: <1774839.IobQ9Gjlxr@xps> (Thomas Monjalon's message of "Wed, 11 Mar 2020 19:02:18 +0100")

Thomas Monjalon writes:

> 11/03/2020 18:34, Aaron Conole:
>> Thomas Monjalon writes:
>>
>> > We have a public Coverity scan triggered by John for the community:
>> > 	https://scan.coverity.com/projects/dpdk-data-plane-development-kit
>> > Note there is a tool to help with this task:
>> > 	http://thyrsus.com/gitweb/?p=coverity-submit.git;a=shortlog;h=refs/tags/1.13
>> >
>> > I see two issues with this scan:
>> > 	- it is run manually
>> > 	- not all code is scanned currently
>> >
>> > Note that we should be able to run one scan per day for free:
>> > 	https://scan.coverity.com/faq#frequency
>> >
>> > With David, we looked at automating the Coverity scan,
>> > with the help of Travis automation:
>> > 	https://scan.coverity.com/travis_ci
>> > Such automation cannot be configured on the existing Coverity project.
>>
>> Why not?
>
> Because Coverity does not allow it.
> Travis integration is possible only if the project was created with GitHub credentials.
>
>
>> > I tried to open a new Coverity project connected to our GitHub.
>>
>> I don't know that it will work.  Either you'll need a separate GitHub,
>> or you'll need to use a special branch.
>>
>> > I have a very poor confidence in Coverity/Travis/GitHub integration.
>> > I will explain below why.
>>
>> Hrrm.. lots of projects use it.
>> And they do just what you prescribe
>> below (skipping jobs/builds when on the coverity branch).
>
> Which project is using Travis integration of Coverity?
> How do they automatically update the specific branch without conflict?

RabbitMQ-c looked to be doing it:

https://github.com/rabbitmq/rabbitmq-c

redirects to:

https://github.com/alanxz/rabbitmq-c/blob/master/.travis.yml

Looks like they haven't done a push in a while, though.  :-/

That project also uses coveralls (something I want to integrate the DPDK
project with).

>
>> > 1/ The instructions were wrong. In this command, there are two mistakes:
>> > 	openssl s_client -connect https://scan.coverity.com:443 |
>> > 	sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' |
>> > 	sudo tee -a /etc/ssl/certs/ca-
>> > For the record, a proper and simpler command is:
>> > 	true | openssl s_client -connect scan.coverity.com:443 |
>> > 	openssl x509 |
>> > 	sudo tee -a /etc/ssl/certs/ca-certificates.crt
>>
>> Okay, that's fixable.
>>
>> > 2/ The coverity scan is triggered as a job addon.
>> > The rest of the job must be cancelled with this tricky patch:
>> >
>> > -script: ./.ci/${TRAVIS_OS_NAME}-build.sh
>> > +script: if [ "${COVERITY_SCAN_BRANCH}" != 1 ] ; then ./.ci/${TRAVIS_OS_NAME}-build.sh ; fi
>>
>> More than that, because we probably also want:
>>
>> if ([[ "${TRAVIS_JOB_NUMBER##*.}" == "1" ]] && [[ "${TRAVIS_BRANCH}"
>> == "coverity_scan" ]]); then ./.ci/${TRAVIS_OS_NAME}-build.sh ; fi
>>
>> That will only do one job (which solves 3/ below)
>
> OK good
>
>> > 3/ We need only to prepare the source code once per day.
>> > But our .travis.yml has many jobs which must be dropped or ignored.
>> >
>> > 4/ A big encrypted token must be added in the configuration:
>> > 	# encrypted COVERITY_SCAN_TOKEN
>> > 	- secure: "VgRYG9N5adKkM9/QpPgswn1c+VXS1mFVN0vgdjuC/bDv2x4u...etc..."
>>
>> Why it's a problem?
>
> It's not a problem.
> I explained all steps in this email, that's why it's here.

Ahh, okay.

>
>> > 5/ The addon is triggered when pushing to a specific branch
>> > (adding config for the record):
>> > 	coverity_scan:
>> > 		project:
>> > 			name: "DPDK/dpdk"
>> > 		notification_email: test-report@dpdk.org
>> > 		build_command_prepend: "meson build -Dexamples=all"
>> > 		build_command: "ninja -C build"
>> > 		branch_pattern: coverity_scan
>> >
>> > 6/ This attempt failed with this log (no more information):
>> > 	$ export PROJECT_NAME=DPDK/dpdk
>> > 	Coverity Scan analysis selected for branch coverity_scan.
>> > 	Coverity Scan API access denied. Check $PROJECT_NAME and $COVERITY_SCAN_TOKEN.
>>
>> Probably there is an issue with the token + PROJECT_NAME.
>
> Probably. How can I debug it?

Need to go through the steps at (which you probably already did):

https://docs.travis-ci.com/user/coverity-scan/

And make sure the account that has access to the travis repo also has
access to the coverity scan project.  The nice thing on that page is
step 8 will have the blocks needed for the security token (that needs to
go in env: global: - secure=...) and the project settings.

I will ping you offline, though.

>
>> > So I am giving up with Travis+Coverity.
>> > The only benefit of Travis is to have a central build configuration.
>> > So when a driver is enabled in Travis, it would be scanned in Coverity.
>> > Note: Coverity does a build step to prepare the sources.
>>
>> I can try to assist with this if you've not completely abandoned the idea.
>
> OK, feel free to ping me for troubleshooting.

Will do.

>
>> > Now the question: how can we better configure the community Coverity scan?
>> > I propose to set it up in our community lab.
>> > Comments? Suggestions?
>>
>> Since we do have something working, but it's manual, is there a way to
>> at least make it happen automatically?  Maybe some cron job?
>
> Yes a cron job, but where?
> I proposed a server of the community lab.

If it's just a matter of pushing something (or even a few small steps),
we can add it to the robot's Sunday "master" rebuild.  Just need whatever
credentials.
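
Review bot: On the `+script:` line of the patch quoted under item 2/, the `if` has no `else`, so when `COVERITY_SCAN_BRANCH` is 1 the script step runs nothing and still exits 0, leaving no trace in the job log of why the build was skipped. Suggest adding an `else` branch that echoes the reason, or moving the test into `./.ci/${TRAVIS_OS_NAME}-build.sh` so the `.travis.yml` entry stays a single command.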